域是什么,能做什么?
讲到域,首先我们要了解工作组的概念,一台安装windows操作系统的计算机,本来是独立的,为了便于互相传递共享文件,我们把计算机用网络连接起来,微软就给这么一群计算机电脑的网络起了个名字,叫做工作组。工作组中的计算机可以实现简单的文件共享和网络访问,但是一旦计算机数量多了,这种松散式管理的工作组将变得十分不方便了。比如找计算机困难,打开网上邻居,要找的计算机找不到;共享困难,设置共享麻烦,还需要告知共享文件的用户名和密码;没有统一的管理,计算机都是一个个信息孤岛,无法共同管理。
为了更好地解决这些问题,微软用一台或者多台服务器,把局域网中的各种可用的资源信息收集整理,例如计算机、打印机、共享文件夹目录、用户账户、各种权限设置等等,并用规范的目录列表的形式,发放给局域网中所有计算机电脑使用,而且这个目录列表是很灵活的,可以很方便地管理维护,彻底消除了工作组计算机的种种不方便。微软把这个灵活的目录列表,就叫做活动目录,也就是域(Domain),它还有一个英文名字叫Active Directory,大伙为了方便,有时也管它叫做AD、Windows AD、计算机域等。管理维护活动目录的服务器,就叫做域控制器,英文名字 Domain Controller,简称DC。
林、域、OU的关系
理解域信任关系
在同一个域内,成员服务器根据Active Directory中的用户账号,可以很容易地把资源分配给域内的用户。但一个域的作用范围毕竟有限,有些企业会用到多个域,那么在多域环境下,我们该如何进行资源的跨域分配呢?
两个域之间存在具备信任关系后,双方的用户便可以访问对方域内的资源,使用对方域的计算机登录。资源跨域分配的主流方法还是创建域信任关系,在两个域之间创建了信任关系后,资源的跨域分配就非常容易了。域信任关系是有方向性的,如果A域信任B域,那么A域的资源可以分配给B域的用户;但B域的资源并不能分配给A域的用户,如果想达到这个目的,需要让B域信任A域才可以。
单树/多树的选择
SWM: Can you define single forest vs. multi-forest Active Directory design?
Timashev: A single forest design is the simplest design. There is only one forest for the whole company network. In other words, all the network objects for the whole company are organized within a single forest. A single Active Directory forest design is easier to administer, provides lower support costs, and offers the best collaboration and messaging environment for the whole company. However, a single forest is the least secure design.
A multi-forest design is when the entire company's network is separated into several forests. It carries higher administrative and support costs, and complicates collaboration and messaging. However, it provides the highest level of security.
什么样的公司应该考虑多树架构的设计
SWM: What kinds of companies should consider a multi-forest design?
Timashev: Companies that might consider multi-forest designs are medium to large sized. They have more administrators, which increases the risk of having less supervision and the possibility of a rogue admin. Multi-forest designs will be most useful to financial, banking, insurance, healthcare and government services organizations. Of course, some of these fields are required by law or business practices to implement high levels of security.
